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Abstract — We show how to solve a generalised version of 
the Multi-sequence Linear Feedback Shift-Register (MLFSR) 
problem using minimisation of free modules over W[x]. We show 
how two existing algorithms for minimising such modules run 
particularly fast on these instances. Furthermore, we show how 
one of them can be made even faster for our use. With our 
modeling of the problem, classical algebraic results tremendously 
simplify arguing about the algorithms. For the non-generalised 
MLFSR, these algorithms are as fast as what is currently known. 
We then use our generalised MLFSR to give a new fast decoding 
algorithm for Reed Solomon codes. 



The 



I. Introduction 
Multi-sequence Linear Feedback Shift-Register 



(MLFSR) synthesis problem has many practical applications 
in fields such as coding theory, cryptography and systems 
theory, see e.g. the references in JT]. The problem can be 
formulated as follows: over some field F, given I polynomials 
5i(x), . . . , Sg(x) £ F[x] and £ "lengths" mi, . . . ,mg £ Z + , 
find a lowest-degree polynomial A(x) such that there exists 
polynomials f2i(x), . . . , 0^(x) satisfying 



A(x)Si(x) = tti{x) mod x r ' 
deg A > dcgfij, 



!,...,£ 



Several algorithms exist for solving this problem, some using 
Divide & Conquer (D&C) techniques and some not. Of the 
latter sort, the fastest have running time 0(£m 2 ), where 
m = maxfrnj: Schmidt and Sidorenko's corrected version 
of Feng and Tzeng's Berlekamp-Massey generalisation [fl~|- 
0; as well as Wang et al.'s lattice minimisation approach 
J4). The best DC algorithm is Sidorenko and Bossert's variant 
of the corrected Feng-Tzeng BMA and has running 
time 0(£ 3 m log 2 m log log m). Obviously, whichever is fastest 
depends on the relative size of i and m. 

In this paper, we give algorithms that solve the following 
generalisation (MgLFSR): given S\{x), . . . , Sg (x) £ F[x], 
moduli Gi(x), . . . , Ge(x) £ F[x] as well as weights v £ 7L+ 
and wo,..., We £ No, find a lowest-degree polynomial A(x) 
such that there exist polynomials Oi(x), . . . , Qe(x) satisfying 



A(x)$s(x) = Oj(x) mod Gi{x) 
v deg A + wo > v deg fl; + Wi , 



1. 



,1 (1) 



We model the above problem as that of finding a "minimal" 
vector in a certain free F[x] module. Such a vector can be 
found as a row of any basis of the module which satis- 
fies certain minimality properties, and standard algorithms in 



the literature do this. We describe the Mulders-Storjohann 
algorithm |6j and give an improved complexity analysis 
for our case, arriving at the running time 0(£ 2 m 2 ), where 
m = maxijdegGi + WiV^ 1 }. We then demonstrate how this 
algorithm is amenable to two distinct speed-ups: 

> A D&C variant achieving 0(£ 3 m log 2 m log log m); for 
general module reduction, this algorithm is known as 
Alekhnovich's 0, but we point out it is a variant of 
Mulders-Storjohann. 
• A new demand-driven variant utilising the special form 
of the module of the MgLFSR to achieve complexity 
0(£mP(m)), where P(m) = m if all Gi are powers 
of x and P(m) = m log m log log m otherwise. 
These complexities match the best known ones for the MLFSR 
case and generalise very well to the MgLFSR. 

We finally demonstrate the utility of the MgLFSR by giving 
a new algorithm for decoding Reed Solomon codes beyond 
half the minimum distance. 



II. Preliminaries 



A. Notation 



In the sequel, we will running refer to the Si, Gi as well as 
the weights v, Wq , . . . , Wi as being from a particular instance 
of the MgLFSR. We will use the term "solution" of this 
MgLFSR for any vector (A,a;i, . . . ,ut) £ F[x] £+1 which 
satisfies the equations of (Q~|i for all i > 1; a solution where 
deg A is minimal is called a minimal solution, and we seek 
one such. 

We will assume that deg Si < deg Gi for each i; for 
otherwise replacing Si with (Si mod Gi) admits exactly 
the same solutions to the MgLFSR. We also assume that 
wo < maxijdcg Si + Wi} since otherwise (1, Si, . . . , St) is 
the minimal solution. 

We extensively deal with vectors and matrices over F[x]. 
We use the following notational conventions: 

• A matrix is named uppercase: V. Rows use the same 
letter lowercase and indexed: Vi. If v is a vector, then 
Vj are its elements; the cells of matrices have double 
subscripts: We'll use zero-indexing, so if v has 
length £ + 1 its elements are vq, • • • , Vg. 

• The degree of a non-zero vector v is degf = 
maxj;{degVi}. The degree of a matrix V is degV = 
'^2 i dcgVi. The max-degree of V is maxdcg V = 
maxij{deg v itj }. 



• Let the leading position of a non-zero vector v be 
LP(v) = max{j | dcgVj = dcgv}. The leading term 
is the polynomial u(v) = i>lp(i>)- 
In complexity estimates, we will let m = maxijdegGi + 
^}. P(m) will be the cost of multiplying two polynomials 
of degree at most m; we can set P(m) = m log m log log m 
using Schonhage-Strassen, see e.g. HO Theorem 8.23]. 

B. Satisfying the congruence equations 

We can consider the space Ai of all vectors 
(A, coi, . . . ,u)f) G F[x] £+1 such that AS* = w i mod G, 
for i = 1, .,.,£. Solutions are thus those vectors such that 
v deg A + wq > v deg w, + Wi. 

All restrictions defining Ai are F[x]-linear so Ai is a 
module over ¥[x]. Shortly, we'll see that Ai is free, so any 
finite basis can be represented as a matrix where each row 
corresponds to a basis element. We will in the sequel often 
simply say "basis" for such a matrix representation. 

Lemma 1: The following is a basis for Ai: 

1 Si S2 ■ ■ ■ Si 





Gi 

Proof: Clearly, each row of M is in Ai. Since any vector 
v G Ai satisfies v^Si = u,; mod Gi for all i > 1, it means 
there exists some pi, . . . ,pi G F[x] such that Vi = voSi+piGi. 
Therefore v = I'oJTio + PxTrii + . . . + pimi. ■ 
To deal with the weights of the MgLFSR in an easy manner, 
we will introduce a mapping which will "embed" the weights 
into the basis. Define $ : F[x] f+1 -> F[x]^ +1 by 

(a (x),...,at(x)) ^ (x w °a (x v ),...,x wt ai(x v )) 

In the case of MLFSR, $ is simply the identity function. 
Extend $ element-wise to sets of vectors, and extend <I> row- 
wise to (I + 1) x (£ + 1) matrices such that the ith row of 
$(V) is Note that $(Ai) is a free F^J-module of 

dimension I + 1, and that any basis of it is by sent back 
to a basis of M. 

Lemma 2: A non-zero s 6 Ai is a minimal solution to the 
MgLFSR if and only if LP($(s)) = and for all non-zero 
$(6) e $(M) with LP($(b)) = then deg$(s) < deg $(6). 

Proof: s = (A, fii, . . . , Cli) € Ai is a solution to the 
MgLFSR if and only if LP($(s)) = 0, since z^dcg A + w > 
vdegfli + Wi <S=^ deg(x Wo A(x u )) > deg(x w 'n t (x u )). 
Since deg $(6) = v deg 60 whenever LP($(6)) = 0, s is then 
a minimal solution if and only if dcg($(s)) is minimal for 
vectors in ^(A^) with leading position 0. ■ 

C. Module minimisation 

Definition 3: A full-rank matrix V E F[.x] (f+1)><(£+1) is 
in weak Popov form if an only if the leading position of 
all rows are different. The orthogonality defect of V is 
A(V) = deg V — deg det V. 



The concept of orthogonality defect was introduced by Lenstra 
||9l for estimating the running time of his algorithm on module 
minimisation; we will use it to a similar effect. The following 
lemma gives the foundations for such a use; we omit the proof 
which can be found in iflOl : 

Lemma 4 ( i T/Q] Lemma 11]): If a matrix V over ¥[x] is in 
weak Popov form then A(V) = 0. 

Note that for any square matrix V, A(V) > 0; thus since the 
determinant is the same for any basis of the module for which 
V is a basis, A(V) measures how much deg V is greater than 
the minimal degree possible. Due to its special form, M has 
particularly low orthogonality defect: 

Lemma 5: A($(A/)) = maxjwj + ^degS*i(x)} — wo < 
vm — wo. 

Proof: Since M is upper triangular det($(M)) = 
x w ° nLi x w 'G l (x") and the lemma follows. ■ 
Lastly, the crucial property we need for matrices in weak 
Popov form: 

Lemma 6: Let V <E F[x]^ +1 ^ x ^ +1) be a basis in weak 
Popov form of a module V. Any non-zero b G V satisfies 
degi> < degb where v is the row of V with LP(v) = LP(6). 

Proof: Since V is a basis of V, there exists po, . . . ,pe G 
¥[x] such that b = P0V1 + . . . + piVg where the Vi are the 
V. But the Vi all have different leading position, so the p^tr, 
must as well for those pi 7^ 0. Therefore, there is exactly 
one j such that LP(6) = LP(wj) = LP(pjVj) and degb = 
deg(pjVj) = degpj + degvj. ■ 

Combining Lemma [2] and Lemma [6] we see that a basis for 
$>(A4) in weak Popov form must contain a row <p(s) such 
that s is a minimal solution to the MgLFSR. Any algorithm 
which brings ¥[x] -matrices to weak Popov form can thus be 
used to solve the MgLFSR. 

III. Simple minimisation 

Definition 7: Applying a row reduction on a full-rank 
matrix over F[a;] means to find two different rows Vi,Vj, 
dcgv.; < dcgVj such that LP(uj) = LP(vj), and then replacing 
Vj with Vj — ax s Vi where a G F and 6 G No are chosen such 
that the leading term of the polynomial LT(vj) is cancelled. 

Define a value function for vectors ip : ¥[x] l+1 — > No: 

tp(v) = (£ + 1) deg v + LP(v) (2) 

Lemma 8: If v'j is the vector replacing vj in a row reduc- 
tion, then ip(Vj) < ip(vj). 

Proof: We can't have degu' > dcgVj since all terms 
of both dcgVj and ax Vi have degree at most degVj. If 
deg v'j < degVj we are done since LP(i^-) < £ + 1, so assume 
degu' = deg it, . Let h = lp(wj) = LP(i?j). By the definition 
of leading position, all terms in both Vj and ax Vi to the 
right of h must have degree less than degVj, and so also all 
terms in v'j to the right of h satisfies this. The row reduction 
ensures that deg v'j h < deg Vj t h, so it must then be the case 
that l.p(v'j) < h. M 



The following elegant algorithm for general F[x] -module 
minimisation is due to Mulders and Storjohann J5]. We have 
specialised the analysis for only our case: 



Algorithm 1 Mulders-Storjohann 
Input: V = <P(M). 

Output: A basis of <1>(.M) in weak Popov form. 

1 Apply row reductions on the rows of V until no longer 
possible. 

2 return V. 



Lemma 9: Algorithm Q] is correct. It performs less than 
(£ + l)(m — wqv' 1 + 2) row reductions and has asymptotic 
complexity 0(£ 2 m 2 ). 

Proof: Since the row reductions are performed over 
F[x], we first need to argue that we do not leave the F[x"] 
module for V to continue to be a basis of $(.M) after 
each row reduction: however, since any u, v £ <&{M) have 
dcgUi = dcgVi mod v for all i, the x s scalar in each row 
reduction is a power of x v \ thus, they are indeed F[x"] row 
reductions. Since we can apply a row reduction on a matrix if 
and only if it is not in weak Popov form, the algorithm must 
bring V to weak Popov form in case it terminates. 

Termination follows directly from Lemma [8] since the value 
of a row decreases each time a row reduction is performed. 
We can be more precise, though. For any non-zero ueM: 

^($(t;)) = {£ + l)(i/degVLP(*(«)) + *ulp(*(«))) +lp($(«)) 
= (£ + l)w L P(*( v )) + LP($(u)) mod {£ + l)v 

So on any given interval of size (£ + l)v, ijj($(v)) can 
attain at most £ + 1 of the values, depending on its leading 
position. Denote now by <&(J7) the matrix in weak Popov 
form returned by the algorithm. Due to the above, the algo- 
rithm will perform a row reduction on the ith row at most 
r^i;0K$M)- times. Since dcg($(E/)) = 

degdet($([/)) = degdet($(M)) and the LP($(m.;)) are all 
different, the total number of row reductions is then upper 
bounded by: 

Etc r*-w*("»i))-^(*("i)))i 

< £ + 1 + ^±±(deg($(M)) - deg($(C/))) + LP($(m )) 

< £±iA($(M)) + 2^+l (3) 

For the asymptotic complexity, note that during the al- 
gorithm, no polynomial in V will have larger degree than 
maxdeg ($(M)) = vm. Since the polynomials in $>(A4) are 
sparse with only every lAh coefficient non-zero, they can be 
represented and manipulated as fast as usual polynomials of 
degree m. One row reduction consists of £ + 1 times scaling 
and adding two such polynomials. ■ 

IV. The Divide & Conquer speed-up 

Algorithm Q] admits a D&C version which is due to 
Alekhnovich 0. However, he seemed not to be aware of the 
work of Mulders and Storjohann, and that his algorithm is 
indeed a variant of theirs. Since all the formal results we need 



are in (7) — as well as the more general analysis in CPD — 
we will here only give an overview of the algorithm and its 
connection to Algorithm Q] as well as the complexity result. 

The algorithm works by structuring its row reductions in 
a tree-like fashion; more precisely it hinges on the following 
series of observations, all of which are proved in Q: 

1) Imagine the row reductions bundled such that each 
bundle reduces maxdeg V by 1, where V is the result 
of applying all earlier row reductions to the input. 

2) To calculate the row reductions in one such bundle on 
V, one needs for each row Vi of V to know only the 
monomials in Vi having degree degUj. 

3) Therefore, to calculate a series of t such bundles, one 
needs to know only monomials of degree greater than 
degi>i — t. Call the matrix containing only these a t- 
projection of V. 

4) Any series of row reductions can be represented as a 
matrix U £ F[x]( £+1)x ^ +1) where the product UV is 
then the result of applying those row reductions to V. 

5) Thus, we can structure the bundles in a binary tree, 
where to calculate the row reduction matrix for some 
node, representing say t bundles, given the matrix V, one 
first recursively calculates the left half of the bundles on 
a i/2-projection of V to get a row reduction matrix Ui. 
Then recursively calculate the right half of the bundles 
on a t/2-projection of U\V to get U2, and the total row 
reduction matrix becomes UiV\. 

We have exactly the same choice of row reductions as in 
Algorithm [T] but the computations are now done on matrices 
where each cell contains only one monomial (since, in the 
leaves of the tree, we work on 1 -projections), speeding up 
those calculations by a factor m. Collecting the row reductions 
is then done using matrix multiplications. 

That Alekhnovich's algorithm can bring $(M) to weak 
Popov form follows immediately from its general correctness; 
however, for a better estimate on its running time, we need 
to correctly consider the effects of weights. This is not done 
in Q, but it was done by Brander in IfTTI . Along with 
observations similar to those in Section [HI] for our case we 
get: 

Lemma 10: Alekhnovich's algorithm on $(M) has asymp- 
totic complexity 0(£ 3 P(m) log m) 

Proof: Inserting into IfTTI Theorem 3.14], we get com- 
plexity 0(£ 2 t) for computing the row reductions, added with 
0(£ 3 P(v~ 1 t)\og(t)) for all matrix multiplications, where 
t = deg($(M)) - deg($(Z7)) and ®(U) is the output. In 
our case, we set t = A($(M)) < vm to ensure $(U) is in 
weak Popov form. However, Brander used in both estimates 
that the number of row reductions was bounded by 0(£t); 
since we showed in Lemma [9] that it was indeed only 0(£m), 
we can compute the row reductions in only 0(£ 2 m) and the 
matrix multiplications in 0(£ 3 P(m) log to). ■ 

V. The Demand-driven speed-up 

We will show how Algorithm Q] for MgLFSR admits a 
speed-up by the following observation: it is essentially suf- 



ficient to keep track of only the first column of V during the 
algorithm, and then calculate the other entries when the need 
arise. The resulting algorithm bears a striking resemblance to 
the Berlekamp-Massey for MLFSR [fl~), though of course the 
manner in which these algorithms are obtained differs. 

Overload ip to N x {0, . . . , £} ->■ N by ip(6,i) = (£ + 
l)9+i, i.e. for any non-zero v e A4, 4>{ v ) = ip(degv,LP(v)). 
Define the helper function 

previous^, i) = argmaxg' {ip(8' , i') \ ip(8' , i') < ip(9, i)} 

previous gives the degree and leading position a vector in 
Q(A4) should have for attaining the greatest possible Rvalue 
less than ip(9,i). 



Algorithm 2 D-D variant of Mulders-Storjohann 

Input: S t = x Wi Si(x"), G l = x Wi Gi(x v ) for i = 1,...,£ 
Output: A(x), a minimal solution to the MgLFSR 

1 (A o ,Ai,...,A < ) = (l,0 J ...,0) 

2 ajX 6j = lt(Gj) for j = 1, . . . ,£ 

3 (9, i) = (max^degS^}, argmax^degSj}) 

4 while dcg A < 9 do 

5 a — coefficient to x in (XoSi mod Gi) 

6 if a ^ then 

7 if 9 < 9i then swap (Arj,a, 6) and (Xi,ai,0i) 

8 A = A - %x e - 6i \i 

9 (9, i) = previous(0, i) 

10 return A 



We will prove the correctness of the algorithm by showing 
that the computations correspond to a possible run of a slight 
variant of Algorithm [T] first we need a technical lemma: 

Lemma 11: Consider a variant of Algorithm Q] where we, 
when replacing some Vj with v'j in a row reduction, instead 
replace it with v'j = ("Uj- q> u j- i m °d Gi, . . . ,v'j £ mod Gg). 
This does not change correctness of the algorithm or the upper 
bound on the number of row reductions performed. 

Proof sketch: Correctness follows by showing that each 
of the £ modulo reductions could have been achieved by a 
series of F[x"] row operations on the current matrix V after the 
row reduction producing v', since then V remains a basis of 
This is done for each position h > 1 by keeping track 
of rows of the current V that can be F^J-linearly combined 
to the vector = (0, . . . , 0, Gh, 0, . . . , 0) which is initially a 
row of V. After row reducing other rows we can then safely 
modulo reduce the hth position. Furthermore, these rows all 
have V'-value at most ij:(gh), so whenever one of them is row 
reduced, the hth position modulo reduction has no effect. 

Since ip( v j) ^ i > { v 'j) me P r °of of Lemma [9] shows that 
the number of row reductions performed is not worse than in 
Algorithm Q] ■ 

Lemma 12: Algorithm [2] it is correct. 

Proof sketch: Let V be the matrix continually changing 
in LemmaQT[s variant of AlgorithmQ] Let us say for a matrix 
U that there is a "conflict on if LP(«i) = LP(tij) and 



degitj < degMj, i.e. one could perform a row reduction on 
Ui,Uj. Observe that initially V = $(Af) has exactly one 
conflict, and that after every row reduction, either there is 
only one conflict and it involves the replaced row, or there are 
zero conflicts and the algorithm is finished. Thus for notational 
convenience, we consider a further variant of Algorithm Q] 
where we possibly swap the two rows after a row reduction 
such that the reduced is the zeroth row afterwards. Note 
furthermore that initially LP(uj) = i for i > 1, and that the 
above swapping strategy would keep also this invariant during 
Algorithm Q] 

One can then show the following additional invariants: 

1) Each iteration of Algorithm [2] where lines 7-8 are run 
correspond to one row reduction on V; 

2) (Ao, • • • , Xe) will correspond to the first column of V; 

3) ctjX 6j will be the leading monomial of LT(vj) for j > 1; 

4) </>M<V>(M 

These invariants are clearly true after initialisation. By assum- 
ing they are true on entry to the loop body, one can then 
show they are true on exit, using that for any row v of V, we 
have Vj = (voSj mod Gf) for j > 1, Invariant [2] then gives 
correctness by correctness of Algorithm [T] ■ 
For complexity estimates, define P(t) as the complexity of 
calculating Line|5]and Line[8] with t being the maximal degree 
of the in-going polynomials. We could calculate Line [5] as a 
polynomial multiplication followed by a division, so at least 
P(t) C 0(P(t)). However, in certain cases we can do better: 
if all Gi(x) are powers of x, the modulo reduction in Line 
[5] is free, and we can perform the remaining computation in 
only 0(t). 

Lemma 13: Algorithm [2] has computational complexity 

0(£mP{m)). 

Proof: Each iteration through the loop costs at most P(m) 
since all polynomials are sparse of degree at most vm. Due 
to Invariant [4] and Line [9] each iteration decreases the upper 
bound on one of Vs row's value. We counted in © that this 
can done at most 0(£m) times. ■ 

VI. Power-Gao Decoding GRS codes 

Schmidt et al. demonstrated how one can decode low- 
rate Generalised Reed-Solomon (GRS) codes beyond half the 
minimum distance by solving an MLFSR fT2l . This "Power 
decoding" works by noting that the classical Key Equation can 
be extended to several ones. The resulting MLFSR problem 
could of course be solved using the algorithms of this paper. 

We will briefly present a similar decoding strategy which 
instead extends what one could call the Key Equation of Gao's 
decoding algorithm ifTJl . It should be noted that this algorithm 
could also be used for decoding Interleaved GRS codes, just 
as the one by Schmidt et al. lfT4l . 

Let C = {(/(«o), ■ • • , /K-i)) I / € V[x], deg/ < k} be 
a (simple) [n, k, d = n — k + 1] GRS code with evaluation 
points ao,.. . , ot n -i G F. Consider a sent codeword c € C 
which comes from evaluating some f(x). Let c be subjected 
to an unknown error pattern e e F™ such that r = c + e 
is received. Define the (unknown) error locator as A(x) = 



Y[ e jAo(x— otj). Define now also the known G(x) = YYj=v{ x ~ 
ctj) as well as R(x) by R(aj) = rj for j = 0, . . . , n — 1. 
Lemma 14: A(x)R i (x) = A(x)f l (x) mod G(x),i £ Z + 
Proof: Two polynomials are equivalent modulo G{x) if 
and only if they have the same evaluation at ao, . . . , a n _i. 
For on where 7^ 0, both sides of the above evaluate to zero, 
while for the remaining on both sides evaluate to A(aj)r* = 
A(a,)cj. ■ 
This leads us to consider the following MgLFSR: choose some 
i G Z+. Let G, = G and & = mod G), as well as 
v = 1, u>o = ^(fc — 1) and iUj = (i — — 1) for i = 1, . . . ,t. 
The vector s = (A, A/, . . . ,Af l ) will then be a solution to 
the MgLFSR. 

To find s with the algorithms of this paper, we need it also to 
be minimal, and that any other minimal solution is a constant 
multiple of s. We can estimate an upper bound on the degree of 
a minimal solution (A, ui\, . . . , 0Ji) as follows: since AS; = uii 
mod Gi implies that there exists pi G ¥[x] with deg pi = 
deg(XSi) such that A5; — PiGi = Wj, we can consider the 
MgLFSR as a homogeneous linear system of equations in the 
coefficients of X,pi, . . . ,pe, such that XSi —piGi should have 
coefficient for a; |degA-i/- 1 (t l >i-«'o)J ^(aso. Xhis lin . 

ear system has non-zero solutions whenever dcg A > jrfTi — 
— \l (k— 1). Thus, whenever the error locator A has degree 
at least this, we cannot hope that s is a minimal solution. 
For fewer errors than the above, we need a deeper analysis 
to estimate the probability that s will be essentially the only 
minimal solution; such an analysis is done for the original 
Power decoding lfT2l . where they find the same upper bound 
for error correction. 

Using Algorithm [T] we could solve this MgLFSR 
in 0(£ 2 n 2 ), while Alekhnovich's algorithm could do 
it in 0(£ 3 n log 2 n log log n). Algorithm [2] would be 
0(£n 2 log n log log n). One of the two latter will be 
fastest, but it will depend on the relation between n and I, 

VII. Conclusion 

We have introduced the generalisation MgLFSR of the well- 
studied problem of synthesising shift-registers with multiple 
sequences, and shown how this can be modeled as that of 
finding "minimal" vectors in certain ¥[x] modules. There are 
off-the-shelf algorithms in the literature for solving this, and 
we demonstrated how a particularly simple of those — the 
Mulders-Storjohann algorithm |6] — runs faster on MgLFSR 
instances than on general F[a;]-matrices. 

We then described how this algorithm is amenable to 
two speed-ups: firstly, a D&C-approach leads to the known 
Alekhnovich's algorithm |7| which we also showed has better 
than generic running time for MgLFSRs. 

Secondly, by observing that for MgLFSRs we can postpone 
calculations in a demand-driven manner, we reach an algo- 
rithm strongly resembling the Berlekamp-Massey algorithm 
for multiple sequences JT], Q, 02). 

These two variants are as fast as the best existing algorithms 
for the usual MLFSR, but they are more flexible and have easy 
proofs of correctness due to the algebraic foundations from 



module minimisation. The two speed-ups, unfortunately, seem 
incompatible. 

The utility of the MgLFSR generalisation was demonstrated 
by a new decoding algorithm for GRS codes: a variant of the 
"Power decoding" approach by Schmidt et al. lfT2l . Though 
this did not need the generalisation of the ;/-weight, that was 
included with the outlook of decoding Algebraic Geometric 
codes, inspired by the approach of Brander ifTTl . 
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